% podman-image-trust(1)

## NAME
podman\-image\-trust - Manage container registry image trust policy

## SYNOPSIS
**podman image trust** set|show [*options*] *registry[/repository]*

## DESCRIPTION
Manages which registries you trust as a source of container images based on their location. (This command is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)

The location is determined by the transport and the registry host of the image. Using the container image `docker://docker.io/library/busybox`
as an example, `docker` is the transport and `docker.io` is the registry host.

Trust is defined in **/etc/containers/policy.json** and is enforced when a user attempts to pull
a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images.

The scope of the trust is evaluated from most specific to least specific. In other words, a policy may be defined for an entire registry, for a particular repository in that registry, or down to a specific signed image inside that registry.

For example, the following list includes valid scope values that could be used in policy.json, from most specific to least specific:

    docker.io/library/busybox:notlatest
    docker.io/library/busybox
    docker.io/library
    docker.io

If no configuration is found for any of these scopes, the default value (specified by using "default" instead of REGISTRY[/REPOSITORY]) is used.

Trust **type** provides a way to:

    Allowlist ("accept") or
    Denylist ("reject") registries or
    Require signature ("signedBy").
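As an added illustration (not code from the Podman project or this man page), the following Python walks the scope list above, most specific first, against a constructed policy that mirrors the `--raw` output shown in EXAMPLES, and reports which entry governs a given image reference. The `""` transport-wide fallback and the rule that an empty requirement list rejects follow containers-policy.json(5); the function names are my own.

```python
import json
from typing import Dict, List

# Constructed sample policy: the same entries as `podman image trust show --raw` in EXAMPLES.
POLICY = json.loads("""{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "reject"}],
      "docker.io/library": [{"type": "insecureAcceptAnything"}],
      "registry.redhat.io": [{"type": "signedBy", "keyType": "GPGKeys",
                              "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}""")


def scope_candidates(reference: str) -> List[str]:
    """Scopes for a reference, most specific first, e.g.
    docker.io/library/busybox:notlatest -> [that, docker.io/library/busybox,
    docker.io/library, docker.io] (the order given in DESCRIPTION)."""
    repo = reference.split("@", 1)[0]            # drop a @sha256:... digest
    if ":" in repo.rsplit("/", 1)[-1]:           # drop a :tag (but not a registry :port)
        repo = repo.rsplit(":", 1)[0]
    candidates = [reference] if reference == repo else [reference, repo]
    parts = repo.split("/")
    for i in range(len(parts) - 1, 0, -1):       # walk up: namespace(s), then registry
        candidates.append("/".join(parts[:i]))
    return candidates


def resolve(policy: Dict, transport: str, reference: str) -> Dict:
    """Pick the most specific matching entry; "" is the transport-wide
    fallback and "default" the global one."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in scope_candidates(reference) + [""]:
        if scope in scopes:
            return {"scope": scope, "requirements": scopes[scope]}
    return {"scope": "default", "requirements": policy.get("default", [])}


def verdict(requirements: List[Dict]) -> str:
    """Collapse a requirement list to accept / reject / signedBy:<keys>.
    Every requirement must hold, so one reject (or an empty list) rejects."""
    types = {r["type"] for r in requirements}
    if not requirements or "reject" in types:
        return "reject"
    if types == {"insecureAcceptAnything"}:
        return "accept"
    keys = [r["keyPath"] for r in requirements if r["type"] == "signedBy"]
    return "signedBy:" + ",".join(keys)


def check(transport: str, reference: str) -> str:
    """Verdict for one reference under the constructed POLICY."""
    return verdict(resolve(POLICY, transport, reference)["requirements"])
```

Note that `docker.io/library/busybox` is accepted while `docker.io/someuser/app` is rejected: the more specific `docker.io/library` entry wins over the `docker.io` entry, exactly as the scope order describes.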
Trust may be updated using the command **podman image trust set** for an existing trust scope.

## OPTIONS
#### **--help**, **-h**
Print usage statement.

### set OPTIONS

#### **--pubkeysfile**=*KEY1*, **-f**
A path to an exported public key on the local system. Key paths
will be referenced in policy.json. Any path to a file may be used, but locating the file in **/etc/pki/containers** is recommended. The option may be given multiple times to
require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** type.

#### **--type**=*value*, **-t**
The trust type for this policy entry.
Accepted values:
  **signedBy** (default): Require signatures with corresponding list of
                          public keys
  **accept**: do not require any signatures for this
              registry scope
  **reject**: do not accept images for this registry scope

### show OPTIONS

#### **--json**, **-j**
Output trust as JSON for machine parsing.

#### **--noheading**, **-n**
Omit the table headings from the trust listings.

#### **--raw**
Output the trust policy file as raw JSON.

## EXAMPLES

Accept all unsigned images from a registry

    sudo podman image trust set --type accept docker.io

Modify default trust policy

    sudo podman image trust set -t reject default

Display system trust policy

    podman image trust show
```
TRANSPORT      NAME                          TYPE      ID                   STORE
all            default                       reject
repository     docker.io/library             accept
repository     registry.access.redhat.com    signed    security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io            signed    security@redhat.com  https://registry.redhat.io/containers/sigstore
repository     docker.io                     reject
docker-daemon                                accept
```

Display trust policy file

    podman image trust show --raw
```
{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "docker.io": [
        {
          "type": "reject"
        }
      ],
      "docker.io/library": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}
```

Display trust as JSON

    podman image trust show --json
```
[
  {
    "transport": "all",
    "name": "* (default)",
    "repo_name": "default",
    "type": "reject"
  },
  {
    "transport": "repository",
    "name": "docker.io",
    "repo_name": "docker.io",
    "type": "reject"
  },
  {
    "transport": "repository",
    "name": "docker.io/library",
    "repo_name": "docker.io/library",
    "type": "accept"
  },
  {
    "transport": "repository",
    "name": "registry.access.redhat.com",
    "repo_name": "registry.access.redhat.com",
    "sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
    "type": "signed",
    "gpg_id": "security@redhat.com"
  },
  {
    "transport": "repository",
    "name": "registry.redhat.io",
    "repo_name": "registry.redhat.io",
    "sigstore": "https://registry.redhat.io/containers/sigstore",
    "type": "signed",
    "gpg_id": "security@redhat.com"
  },
  {
    "transport": "docker-daemon",
    "type": "accept"
  }
]
```

## SEE ALSO
**[containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md)**

## HISTORY
January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)